Iubenda logo
Start generating


Table of Contents

A Closer Look at Special Categories of Personal Data

Data privacy laws around the world like the GPDR in Europe have established a much-needed framework for the collection, use and storage of personal data. As a business, you cannot handle data however you want to. This is even more true of special categories of personal data, that, due to their nature, are subject to particular attention.

👀 In this article, we take a look at the GDPR definition of special categories and how you should handle this type of data.

special categories of personal data

Special Categories of Personal Data: Article 9

What are GDPR Special Categories?

The expression “special categories of personal data” is the GDPR’s way of referring to sensitive data. They are defined in GDPR Article 9 as data which is of:

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • genetic data;
  • biometric data (i.e. fingerprints, face recognition, DNA, etc.);
  • data concerning health;
  • data concerning a natural person’s sex life or sexual orientation.

🔍 Read our article for an overview of what is considered sensitive personal information around the world.

  • A healthcare provider collecting and storing a patient’s medical history and health data (i.e. illnesses, and disabilities);
  • An employer collecting information about an employee’s trade union membership and political opinions;
  • A social media platform collecting information about users’ religious beliefs and sexual orientation in order to show targeted advertisements;
  • A financial institution collecting and storing information about a customer’s criminal convictions.

Personal Data vs. Sensitive Personal Data

As you can see from the description above, sensitive personal data can be considered as more “invasive” or “risky” compared to regular personal data.

Sensitive information, in particular, could potentially lead to things like discrimination against individuals. Which is why you should be even more careful to avoid any sensitive data exposure.

💡 Not sure if the GDPR applies to you?

🚀 Do this free 1-min quiz to find out!

What You Should Do When Handling Special Categories of Personal Data

Under the GDPR, for collecting or processing any type of personal data, you need to have explicit and informed consent from individuals, as well as give the necessary disclosures via a privacy policy.

While these requirements apply to personal data in general, there are some GDPR requirements that specifically apply to special categories of personal data. Here are 3 cases below.

💡 Did you know sensitive personal information gets special attention in US privacy laws?

🇺🇸 Needless to say, handling sensitive data calls for stricter rules outside Europe too!

👉 Check out our US State Privacy Laws Overview

Appoint a Data Protection Officer (DPO)

A Data Protection Officer (DPO) is usually appointed by a company to ensure that personal data is processed following the applicable data protection rules.

Under Article 37 of the GDPR, you are legally-required to designate a DPO if you carry out certain types of processing activities, including when your core activities consist of large-scale processing of sensitive data.

💡 This means if the GDPR applies to you and if you process special categories of personal data on a large scale, you must appoint a DPO.

Perform a Data Protection Impact Assessment (DPIA)

Similar to the previous DPO requirement, the GDPR especially requires you to carry out a DPIA when processing special categories of personal data on a large scale.

A Data Protection Impact Assessment allows you to analyze and minimize risks associated with personal data processing.

🔍 Here is a free template we have on DPIA. Click here to check it out!

Keep Records of Processing Activities

Still under the GDPR, data controllers and processors are expressly required to maintain “full and extensive” up-to-date records of the company’s data processing activities when it involves handling special categories of data.

This can be quite challenging to implement!

🚀 That’s why we recommend using a dedicated tool like our Internal Privacy Management. It allows you to add processing activities from 1700+ pre-made options, divide them by area, assign processors and other member roles, and to document legal bases and other GDPR-required records.

Do you handle special categories of personal data?

Easily keep track of your processing activities to comply with GDPR